Robust composition: towards a unified approach to access control and concurrency control

When separately written programs are composed so that they may cooperate, they may instead destructively interfere in unanticipated ways. These hazards limit the scale and functionality of the software systems we can successfully compose. This dissertation presents a framework for enabling those interactions between components needed for the cooperation we intend, while minimizing the hazards of destructive interference. Great progress on the composition problem has been made within the object paradigm, chiefly in the context of sequential, single-machine programming among benign components. We show how to extend this success to support robust composition of concurrent and potentially malicious components distributed over potentially malicious machines. We present E, a distributed, persistent, secure programming language, and CapDesk, a virus-safe desktop built in E, as embodiments of the techniques we explain.
